| #!/usr/bin/env python3 |
| # Copyright 2022 The IREE Authors |
| # |
| # Licensed under the Apache License v2.0 with LLVM Exceptions. |
| # See https://llvm.org/LICENSE.txt for license information. |
| # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
| """ |
| Posts benchmark results to gist and comments on pull requests. |
| |
| Requires the environment variables: |
| |
| - GITHUB_TOKEN: token from GitHub action that has write access on issues. See |
| https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token |
| - COMMENT_BOT_USER: user name that posts the comment. Note this can be different |
| from the user creates the gist. |
| - GIST_BOT_TOKEN: token that has write access to gist. Gist will be posted as |
| the owner of the token. See |
| https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens#gists |
| """ |
| |
| import sys |
| import pathlib |
| |
| # Add build_tools python dir to the search path. |
| sys.path.insert(0, str(pathlib.Path(__file__).parent.with_name("python"))) |
| |
| import argparse |
| import http.client |
| import json |
| import os |
| import requests |
| from typing import Any, Optional |
| |
| from reporting import benchmark_comment |
| |
| GITHUB_IREE_API_PREFIX = "https://api.github.com/repos/iree-org/iree" |
| GITHUB_GIST_API = "https://api.github.com/gists" |
| GITHUB_API_VERSION = "2022-11-28" |
| |
| |
| class APIRequester(object): |
| """REST API client that injects proper GitHub authentication headers.""" |
| |
| def __init__(self, github_token: str): |
| self._api_headers = { |
| "Accept": "application/vnd.github+json", |
| "Authorization": f"token {github_token}", |
| "X-GitHub-Api-Version": GITHUB_API_VERSION, |
| } |
| self._session = requests.session() |
| |
| def get(self, endpoint: str, payload: Any = {}) -> requests.Response: |
| return self._session.get( |
| endpoint, data=json.dumps(payload), headers=self._api_headers |
| ) |
| |
| def post(self, endpoint: str, payload: Any = {}) -> requests.Response: |
| return self._session.post( |
| endpoint, data=json.dumps(payload), headers=self._api_headers |
| ) |
| |
| def patch(self, endpoint: str, payload: Any = {}) -> requests.Response: |
| return self._session.patch( |
| endpoint, data=json.dumps(payload), headers=self._api_headers |
| ) |
| |
| |
| class GithubClient(object): |
| """Helper to call Github REST APIs.""" |
| |
| def __init__(self, requester: APIRequester): |
| self._requester = requester |
| |
| def post_to_gist(self, filename: str, content: str, verbose: bool = False) -> str: |
| """Posts the given content to a new GitHub Gist and returns the URL to it.""" |
| |
| response = self._requester.post( |
| endpoint=GITHUB_GIST_API, |
| payload={"public": True, "files": {filename: {"content": content}}}, |
| ) |
| if response.status_code != http.client.CREATED: |
| raise RuntimeError( |
| f"Failed to create on gist; error code: {response.status_code} - {response.text}" |
| ) |
| |
| response = response.json() |
| if verbose: |
| print(f"Gist posting response: {response}") |
| |
| if response["truncated"]: |
| raise RuntimeError(f"Content is too large and was truncated") |
| |
| return response["html_url"] |
| |
| def get_previous_comment_on_pr( |
| self, |
| pr_number: int, |
| comment_bot_user: str, |
| comment_type_id: str, |
| query_comment_per_page: int = 100, |
| max_pages_to_search: int = 10, |
| verbose: bool = False, |
| ) -> Optional[int]: |
| """Gets the previous comment's id from GitHub.""" |
| |
| for page in range(1, max_pages_to_search + 1): |
| response = self._requester.get( |
| endpoint=f"{GITHUB_IREE_API_PREFIX}/issues/{pr_number}/comments", |
| payload={ |
| "per_page": query_comment_per_page, |
| "page": page, |
| "sort": "updated", |
| "direction": "desc", |
| }, |
| ) |
| if response.status_code != http.client.OK: |
| raise RuntimeError( |
| f"Failed to get PR comments from GitHub; error code: {response.status_code} - {response.text}" |
| ) |
| |
| comments = response.json() |
| if verbose: |
| print(f"Previous comment query response on page {page}: {comments}") |
| |
| # Find the most recently updated comment that matches. |
| for comment in comments: |
| if ( |
| comment["user"]["login"] == comment_bot_user |
| and comment_type_id in comment["body"] |
| ): |
| return comment["id"] |
| |
| if len(comments) < query_comment_per_page: |
| break |
| |
| return None |
| |
| def update_comment_on_pr(self, comment_id: int, content: str): |
| """Updates the content of the given comment id.""" |
| |
| response = self._requester.patch( |
| endpoint=f"{GITHUB_IREE_API_PREFIX}/issues/comments/{comment_id}", |
| payload={"body": content}, |
| ) |
| if response.status_code != http.client.OK: |
| raise RuntimeError( |
| f"Failed to comment on GitHub; error code: {response.status_code} - {response.text}" |
| ) |
| |
| def create_comment_on_pr(self, pr_number: int, content: str): |
| """Posts the given content as comments to the current pull request.""" |
| |
| response = self._requester.post( |
| endpoint=f"{GITHUB_IREE_API_PREFIX}/issues/{pr_number}/comments", |
| payload={"body": content}, |
| ) |
| if response.status_code != http.client.CREATED: |
| raise RuntimeError( |
| f"Failed to comment on GitHub; error code: {response.status_code} - {response.text}" |
| ) |
| |
| def get_pull_request_head_commit(self, pr_number: int) -> str: |
| """Get pull request head commit SHA.""" |
| |
| response = self._requester.get( |
| endpoint=f"{GITHUB_IREE_API_PREFIX}/pulls/{pr_number}" |
| ) |
| if response.status_code != http.client.OK: |
| raise RuntimeError( |
| f"Failed to fetch the pull request: {pr_number}; " |
| f"error code: {response.status_code} - {response.text}" |
| ) |
| |
| return response.json()["head"]["sha"] |
| |
| |
| def _parse_arguments(): |
| parser = argparse.ArgumentParser() |
| parser.add_argument("comment_json", type=pathlib.Path) |
| parser.add_argument("--verbose", action="store_true") |
| verification_parser = parser.add_mutually_exclusive_group(required=True) |
| verification_parser.add_argument("--github_event_json", type=pathlib.Path) |
| return parser.parse_args() |
| |
| |
| def main(args: argparse.Namespace): |
| github_token = os.environ.get("GITHUB_TOKEN") |
| if github_token is None: |
| raise ValueError("GITHUB_TOKEN must be set.") |
| |
| comment_bot_user = os.environ.get("COMMENT_BOT_USER") |
| if comment_bot_user is None: |
| raise ValueError("COMMENT_BOT_USER must be set.") |
| |
| gist_bot_token = os.environ.get("GIST_BOT_TOKEN") |
| if gist_bot_token is None: |
| raise ValueError("GIST_BOT_TOKEN must be set.") |
| |
| comment_data = benchmark_comment.CommentData( |
| **json.loads(args.comment_json.read_text()) |
| ) |
| # Sanitize the pr number to make sure it is an integer. |
| pr_number = int(comment_data.unverified_pr_number) |
| |
| pr_client = GithubClient(requester=APIRequester(github_token=github_token)) |
| if args.github_event_json is None: |
| github_event = None |
| else: |
| github_event = json.loads(args.github_event_json.read_text()) |
| workflow_run_sha = github_event["workflow_run"]["head_sha"] |
| pr_head_sha = pr_client.get_pull_request_head_commit(pr_number=pr_number) |
| # We can't get the trusted PR number of a workflow run from GitHub API. So we |
| # take the untrusted PR number from presubmit workflow and verify if the PR's |
| # current head SHA matches the commit SHA in the workflow run. It assumes |
| # that to generate the malicious comment data, attacker must modify the code |
| # and has a new commit SHA. So if the PR head commit matches the workflow |
| # run with attacker's commit, either the PR is created by the attacker or |
| # other's PR has the malicious commit. In both cases posting malicious |
| # comment is acceptable. |
| # |
| # Note that the collision of a target SHA1 is possible but GitHub has some |
| # protections (https://github.blog/2017-03-20-sha-1-collision-detection-on-github-com/). |
| # The assumption also only holds if files in GCS can't be overwritten (so the |
| # comment data can't be modified without changing the code). |
| # The check will also fail if the PR author pushes the new commit after the |
| # workflow is triggered. But pushing the new commit means to cancel the |
| # current CI run including the benchmarking. So it will unlikely fail for |
| # that reason. |
| if workflow_run_sha != pr_head_sha: |
| raise ValueError( |
| f"Workflow run SHA: {workflow_run_sha} does not match " |
| f"the head SHA: {pr_head_sha} of the pull request: {pr_number}." |
| ) |
| |
| gist_client = GithubClient(requester=APIRequester(github_token=gist_bot_token)) |
| gist_url = gist_client.post_to_gist( |
| filename=f"iree-full-benchmark-results-{pr_number}.md", |
| content=comment_data.full_md, |
| verbose=args.verbose, |
| ) |
| |
| previous_comment_id = pr_client.get_previous_comment_on_pr( |
| pr_number=pr_number, |
| comment_bot_user=comment_bot_user, |
| comment_type_id=comment_data.type_id, |
| verbose=args.verbose, |
| ) |
| |
| abbr_md = comment_data.abbr_md.replace( |
| benchmark_comment.GIST_LINK_PLACEHORDER, gist_url |
| ) |
| if github_event is not None: |
| abbr_md += ( |
| f'\n\n[Source Workflow Run]({github_event["workflow_run"]["html_url"]})' |
| ) |
| if previous_comment_id is not None: |
| pr_client.update_comment_on_pr(comment_id=previous_comment_id, content=abbr_md) |
| else: |
| pr_client.create_comment_on_pr(pr_number=pr_number, content=abbr_md) |
| |
| |
| if __name__ == "__main__": |
| main(_parse_arguments()) |
